Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

A bank is commended for the language used in an account agreement

PIPEDA Case Summary #2004-263

[Principles 4.3, 4.3.2, 4.3.3]

Complaint

An individual complained that a bank was requiring its customers to consent to broad disclosure practices when completing an agreement form for a credit card account. The complainant highlighted a number of phrases in the consent form. He was particularly concerned about the requirement to consent to the collection and disclosure of "all" information about the applicant, not just the financial information to which the complainant believed a credit card company is legitimately entitled.

Summary of Investigation

The complainant was prompted to file his complaint after receiving an updated cardholder agreement form in the mail. The section dealing with privacy states:

Your personal information ...will be used only to make a decision regarding your application, to service your account, to offer products and services ...and to meet legal and regulatory requirements. Please be assured that the bank will obtain your permission to use your personal information for any other purpose and that you have a right to access your file and correct any information. For a copy of our privacy brochure, please write to ...the address below. If you would prefer that (we) ...not contact you to offer products and services, please write to: ...

The section of the cardholder agreement that was of particular concern to the complainant reads:

Collection and Use of Information: You consent to (the bank) establishing and maintaining a file of personal information about you and obtaining and exchanging, from time to time, all information about you (including credit information) with our branches, affiliates and agents and with any credit reporting agency ...

The bank's website has an on-line link to a complete statement of the bank's privacy policy and practices. It describes the categories of personal information, the purposes for the collection of the information, and the affiliates with whom the information might be shared, in some detail. It states, for example:

The nature of personal information we collect may include:

  • Information we receive from you ..., such as name, gender, address, telephone number, occupation, assets, income and language preference;
  • Information we receive ...when we are conducting a survey of your preferences, needs or interests;
  • Information about your transactions ..., such as account numbers, account balances, payment history, and account activity; ...

(The bank) may use the information ...for the following purposes:

  1. to make decisions about applications;
  2. to evaluate credit worthiness, monitor, service and collect your account; ...
  1. to understand your needs and to offer products and services to meet those needs;
  2. to allow our affiliates and selected companies to promote their products and services to you; ...

You may refuse or withdraw your consent to (vi) as explained in this document ...

From time to time, we may disclose ...marketing lists. These ...contain very general and non-sensitive information such as names, addresses and telephone numbers, and categories of goods and services reflecting your preferences and interests. In no case will sensitive information, including specific financial data or credit ratings, be disclosed without ...express positive consent ...

If you prefer to be removed from the marketing lists we may share with third parties, you are free to opt-out at any time by writing us at the address mentioned below ...

The paper copy of the application form invites the reader to either telephone (emphasis added) or write if he or she wishes to exercise their opt-out rights.

Findings

Issued January 12, 2004

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (Act) applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because the bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 stresses that knowledge is required as well as consent and states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. It further stipulates that, for consent to be meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.

The Assistant Commissioner deliberated as follows:

  • The bank draws the attention of new customers to its privacy policy and practices at the time that they apply. The revised Cardholder Agreement draws the attention of existing customers to the bank's privacy policy, and alerts the customer to his or her opt-out rights. These practices constitute a reasonable effort to advise customers of the bank's privacy practices, as required by Principle 4.3.2.
  • The privacy policy clearly explains the type of information that the bank collects, the uses to which it is put, and the contemplated disclosures. Applicants can easily and conveniently opt-out of the use and disclosure of their personal information for the secondary purpose of marketing, by calling or writing the bank. The bank is not requiring its customers to consent to broad disclosure practices, contrary to Principle 4.3.3.

The Assistant Commissioner found that the bank complies with the consent requirements of Principle 4.3. She commended the bank for its use of plain, simple, straight-forward language in its account agreement form and in its privacy policy.

She therefore concluded that the complaint was not well-founded.

Date modified: